Update-ADFS_RelyingPartyTrust.ps1
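#Requires -RunAsAdministrator
#Requires -Version 5.0
<#
.SYNOPSIS
    Update ADFS Relying Party Trust configuration.

.DESCRIPTION
    Update ADFS Relying Party Trust configuration for SecureMfa Threat Detection Module.
    Apply customised MFA configuration for Relying Party.

    In both modes the Relying Party's Access Control Policy (if one is assigned) is removed
    and replaced by a permit-all IssuanceAuthorizationRules policy. Any user/group
    restriction the previous Access Control Policy enforced is lost and has to be
    re-applied separately; a warning naming the removed policy is written when this happens.

    In 'None' mode the selected providers are also written to the farm-wide global
    authentication policy (Set-AdfsGlobalAuthenticationPolicy), which affects every
    Relying Party in the farm, not only the one named by -RP_Name.

    Dependencies: Windows 2019 ADFS service or later.

.PARAMETER RP_Name
    Name of the existing Relying Party Trust to update.

.PARAMETER RPmode
    'SecureMFA_TDM' (default) installs risk-score based MFA rules for the Threat Detection
    Module; 'None' installs an always-MFA rule limited to the providers selected by the
    provider switches below.

.PARAMETER SecureMfaOtpProvider
.PARAMETER SecureMfaEmailOtpProvider
.PARAMETER SecureMfaApiOtpProvider
.PARAMETER AzureMfaAuthentication
.PARAMETER CertificateAuthentication
.PARAMETER MicrosoftPassportAuthentication
.PARAMETER FormsAuthentication
.PARAMETER WindowsAuthentication
.PARAMETER DeviceAuthentication
.PARAMETER AzurePrimaryAuthentication
    MFA providers to enable when -RPmode is 'None'. At least one is required in that mode;
    they are ignored in 'SecureMFA_TDM' mode.

.PARAMETER Force
    Skip the interactive Yes/No confirmation.

.NOTES
    Version:        2.0.0.4
    Author:         SecureMfa.com
    Creation Date:  02/08/2021
    Purpose/Change: Incorporated into PS module

.EXAMPLE
    Update-ADFS_RelyingPartyTrust -RP_Name 'claimapp4' -RPmode 'SecureMFA_TDM'

    This command will update ADFS RelyingPartyTrust configuration to work with SecureMfa
    Threat Detection Module by converting existing Access Control Policy to compatible
    IssuanceAuthorizationPolicy.

.EXAMPLE
    Update-ADFS_RelyingPartyTrust -RP_Name 'claimapp4' -RPmode 'None' -SecureMfaOtpProvider -CertificateAuthentication

    This command will update ADFS RelyingPartyTrust configuration to use "SecureMFA OTP
    Provider" and "Certificate authentication" for second-factor authentication. All other
    MFA providers will not be visible for users when accessing the updated Relying Party.
#>
Function Update-ADFS_RelyingPartyTrust {
    Param (
        [Parameter(Mandatory=$true)][string]$RP_Name,
        [Parameter(Mandatory=$false)][ValidateSet('SecureMFA_TDM','None')][string]$RPmode='SecureMFA_TDM',
        [Parameter(Mandatory=$false)][Switch]$SecureMfaOtpProvider,
        [Parameter(Mandatory=$false)][Switch]$SecureMfaEmailOtpProvider,
        [Parameter(Mandatory=$false)][Switch]$SecureMfaApiOtpProvider,
        [Parameter(Mandatory=$false)][Switch]$AzureMfaAuthentication,
        [Parameter(Mandatory=$false)][Switch]$CertificateAuthentication,
        [Parameter(Mandatory=$false)][Switch]$MicrosoftPassportAuthentication,
        [Parameter(Mandatory=$false)][Switch]$FormsAuthentication,
        [Parameter(Mandatory=$false)][Switch]$WindowsAuthentication,
        [Parameter(Mandatory=$false)][Switch]$DeviceAuthentication,
        [Parameter(Mandatory=$false)][Switch]$AzurePrimaryAuthentication,
        [Parameter(Mandatory=$false)][Switch]$Force
    )

    try {
        if (!$Force) {
            $message  = "Do you want to update ADFS RelyingPartyTrust " + $RP_Name + " ?"
            $question = 'Please confirm?'
            $choices  = New-Object Collections.ObjectModel.Collection[Management.Automation.Host.ChoiceDescription]
            $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&Yes'))
            $choices.Add((New-Object Management.Automation.Host.ChoiceDescription -ArgumentList '&No'))
            $decision_Validation = $Host.UI.PromptForChoice($message, $question, $choices, 0)
            if ($decision_Validation -eq 1) {
                Write-Host "ADFS RelyingPartyTrust configuration has been cancelled, exiting!" -ForegroundColor Yellow
                # 'return' rather than 'break': a bare 'break' with no enclosing loop in a
                # function propagates to the caller and can abort the caller's loop or script.
                return
            }
        }

        # Validate that the RP exists (Get-AdfsRelyingPartyTrust returns nothing for an unknown name).
        $rp = Get-AdfsRelyingPartyTrust -Name $RP_Name
        if (!$rp) {
            throw "RelyingPartyTrust $RP_Name doesn't exist. Please use a valid RelyingPartyTrust name and try again."
        }

        # Make the loss of the previous access restrictions explicit to the operator: the
        # policy removed below is what decided WHO may reach this RP; nothing here re-creates it.
        if ($rp.AccessControlPolicyName) {
            Write-Warning "Access Control Policy '$($rp.AccessControlPolicyName)' on $RP_Name will be removed and replaced by a permit-all issuance authorization rule; re-apply any user/group restrictions it enforced."
        }

        # Start RP update. AD FS does not accept hand-written issuance/additional authentication
        # rules while an Access Control Policy is assigned, so it is cleared first.
        $rp | Set-AdfsRelyingPartyTrust -AccessControlPolicyName $null
        # Permit-all issuance authorization: from here on access is gated only by the MFA rules
        # set below. NOTE: if a later step throws, the catch block reports the error but does not
        # roll back, leaving the RP permit-all with no MFA rule until re-run.
        Set-AdfsRelyingPartyTrust -TargetName $RP_Name -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

        if ($RPmode -eq 'SecureMFA_TDM') {
            # SecureMfa Threat Detection Module config: every risk-score value, including
            # "notevaluated", triggers multipleauthn, so MFA is required whenever the risk-score
            # claim is present. None of these rules fire if the claim is absent altogether.
            $riskScoreRules = foreach ($risk in 'low', 'medium', 'high', 'notevaluated') {
                'exists([Type == "http://schemas.microsoft.com/ws/2017/04/identity/claims/riskscore", Value == "' + $risk + '"])=>issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
            }
            Set-AdfsRelyingPartyTrust -TargetName $RP_Name -AdditionalAuthenticationRules ($riskScoreRules -join ' ')

            # Complete
            Write-Host "ADFS RelyingPartyTrust $RP_Name has been configured with SecureMfa Threat Detection Module IssuanzeAuthorizationPolicy." -ForegroundColor Green
        }
        else {
            # None config: provider switch -> provider name, in the order the rules are emitted.
            $requestedProviders = [ordered]@{
                FormsAuthentication             = $FormsAuthentication
                WindowsAuthentication           = $WindowsAuthentication
                CertificateAuthentication       = $CertificateAuthentication
                DeviceAuthentication            = $DeviceAuthentication
                AzurePrimaryAuthentication      = $AzurePrimaryAuthentication
                AzureMfaAuthentication          = $AzureMfaAuthentication
                MicrosoftPassportAuthentication = $MicrosoftPassportAuthentication
                SecureMfaOtpProvider            = $SecureMfaOtpProvider
                SecureMfaEmailOtpProvider       = $SecureMfaEmailOtpProvider
                SecureMfaApiOtpProvider         = $SecureMfaApiOtpProvider
            }
            [string[]]$MFAProvidersList = @($requestedProviders.Keys | Where-Object { $requestedProviders[$_] })

            if ($MFAProvidersList.Count -eq 0) {
                throw "RelyingPartyTrust $RP_Name cannot update with no MFA providers. Please use a switch for the MFA provider and try again."
            }

            # First rule requires MFA for every request; the following rules restrict which
            # providers are offered for it.
            $AdditionalAuthenticationRule = 'c:[] =>issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",Value = "http://schemas.microsoft.com/claims/multipleauthn");'
            foreach ($provider in $MFAProvidersList) {
                $AdditionalAuthenticationRule += 'c:[] => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders",Value = "' + $provider + '");'
            }

            # Update RP
            Set-AdfsRelyingPartyTrust -TargetName $RP_Name -AdditionalAuthenticationRules $AdditionalAuthenticationRule

            # Update MFA providers list. NOTE(review): this writes the farm-wide global
            # authentication policy, not this RP alone; providers not in the list are no longer
            # enabled for any RP. Confirm against the currently enabled providers before running.
            Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $MFAProvidersList

            # Complete (providers listed with a separator; the original concatenated the names)
            Write-Host "ADFS RelyingPartyTrust $RP_Name has been configured with custom MFA providers: $($MFAProvidersList -join ', ')" -ForegroundColor Green
        }
    }
    catch {
        # Error stream rather than host output so automation sees the failure ($? is false and
        # the record lands in $Error); non-terminating unless the caller asks for -ErrorAction Stop.
        Write-Error "$($MyInvocation.InvocationName): $_"
    }
}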